Tennessee District Court Deepens The “Without Authorization” Divide Under The Computer Fraud And Abuse Act

Fox Rothschild LLP
Contact

Fox Rothschild LLPA Tennessee District Court recently ruled in Wachter Inc. v. Cabling Innovations, LLC, 3:18-cv-00488 (W.D. Tenn. May 7, 2019) that two former employees with permitted access to company computers were not liable under the Computer Fraud and Abuse Act (“CFAA”) for sharing their employer’s confidential information with a competitor.  Wachter adds to the split amongst the circuit courts as to when an employee has acted “without authorization” or “exceeded authorized access” under the CFAA.   In part, the CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(5)(C).

In Wachter, two former employees with access to company computers and computer systems allegedly obtained information for personal gain and for the benefit of Wachter’s competitor, Cabling Innovations, LLC.  The employees allegedly shared their employer’s confidential information and trade secrets without permission.

The Court in Wachter noted that the CFAA fails to define “without authorization” and acknowledged the split amongst the jurisdictions in interpreting the term.  Thereafter, and consistent with prior decisions from the Sixth Circuit, the Court narrowly interpreted the CFAA holding that there “cannot be a CFAA violation where an employee has lawful access to his computer.”  The Court’s holding continued that the “[CFAA] was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers.”  Lastly, Wachter stresses the need to construe the CFAA, a criminal statute, narrowly within the context of civil proceedings.

Cases from the Second, Fourth, and Ninth Circuits echo Wachter’s narrow and literal interpretation of the CFAA.  The Court of Appeals for the Fourth Circuit in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) held that “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.”  The Court in WEC stated that to exceed authorized access “refers to obtaining or altering information beyond the limits of the employee’s authorized access.  It does not address the use of information after access.”   In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), a former employee received confidential information from his still employeed and former assistance who had current log-in credentials.  Despite the assistant violating the employer’s disclosure policy, the Ninth Circuit held that such conduct was not “without authorization, or exceed[ing] authorized access” because the assistant “had permission to access the company database and obtain the information contained within.”

A number of jurisdictions have adopted an expansive view of the CFAA and recognized instances when an employee’s conduct went beyond authorized access.  The Court of Appeals for the Seventh Circuit held in Int’l Airport Ctrs., LLC, v. Citrin, 440 F.3d 418 (7th Cir. 2006) that a former employee’s authorized access terminated “when, having already engaged in misconduct and decided to quit…he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.”  Citrin continued that the “breach of [the employee’s] duty of loyalty terminated his agency relation…and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

Opinions from the Eleventh and Fifth Circuit have held that an employee who accesses information beyond the purposes of his granted authority exceeds his authorized access.  In U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the Court of Appeals for the Eleventh Circuit held that a former Social Security Administration (the “SSA”) employee violated the CFAA upon accessing personal records maintained by the SSA for non-business purposes.  The Court in Rodriguez ruled that “the plain language of the [CFAA] forecloses any argument that Rodriquez did not exceed his authorized access” when he accessed personal information that he was authorized to access only for business reasons.  Similarly, in U.S. v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit Court of Appeals held that a former Citigroup employee exceeded her authorization when she shared personal customer information in violation of Citigroup’s policy prohibiting the misappropriation of confidential information contained on Citigroup’s computer systems.  The opinion in John offers guidance that “authorization access” as used in the CFAA, “may encompass limits placed on the use of information obtained by permitted access.”

The Supreme Court has yet to address to divergence amongst the circuit courts relating to the CFAA.  As such, and given the conflicting jurisdictional interpretations, it is important that businesses (i) clearly communicate access policies to their employees, (ii) review existing confidentiality and non-disclosure policies with both management and employees, and (iii) implement policies and procedures to quickly limit the access rights of terminated or otherwise restricted employees.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.